Phishing is when an attacker uses a cleverly crafted SMS, Email, or website to trick a user into sharing their password, identity information, credit card details, or to install malware.

Apple have recently patched three 0-day vulnerabilities that could be exploited with the initial attack vector being delivered via SMS Phishing (SMiShing). The attack had the capability of giving the attacker full remote access to the targets Apple Device. While this attack would more likely have been used on high value targets (0-days are big business), it outlines the importance of installing updates and being cautious when dealing with links in SMS and Email. If you haven’t yet upgraded your iOS devices to 9.3.5 you should do this now to ensure you don’t fall victim to other attacks that may exploit these now known vulnerabilities.

Android devices have also been exploited with SMS being the initial attack vector. While it is not actually SMiShing, the attack, known as Stagefright, requires no user interaction for an Android device to be compromised.

Other SMiShing attacks take advantage of Premium Services on your mobile. Premium services allow mobile users to buy content, such as ringtones or caller tones, purchase credits for games, or sign up for competitions. These all being charged to your monthly bill. Some Premium Services charge a one off fee, while others subscribe you to a daily, weekly, or monthly fee.

Premium Services are also used as a way to make a quick dollar from unsuspecting victims. You receive an SMS explain there is a monetary value being ‘owed’ to you. The message will then go on to say the money can be claimed by replying to the number. Of course this is a scam and replying to the SMS signs you up to a subscription based premium service. You may not even notice until your next bill.

ACMA have a good write up regarding Premium Service and can be found on their website.

How to protect yourself

Avoid opening links in SMS received from unknown sources. If the source is known to you confirm the validity of the link with them.

Avoid replying to unknown numbers – although premium numbers often start with 19, mobile numbers can also be used. Important contacts such as ATO, Banks, and Insurance companies are not going to use SMS as their first point of contact or to ask for information, or provide links.

If premium services are not required, they can be blocked from your service:

Telstra allow you to block Premium Services on your account via their website.

Optus also allow you to block Premium Service, with instructions to do so found on the Optus Website.

Slow internet connections affect those in remote areas more than anyone else. Many residents of the Weddin Shire feel this pain being limited to over-subscribed satellite connections or 3G wireless broadband connections. Another downside for users of these services is the smaller data allocation per month and a higher cost per MB.

Those of us in town are able to receive faster ADSL broadband connections – but the speeds can vary between 1.5mbps to 20mbps depending on your distance from the telephone exchange and quality of your telephone line. ADSL plans have larger download limits allowing users to use a larger range of services without interruption.

NBN will be a welcomed service to Grenfell and the Weddin Shire.

According to the NBN three-year construction plan, Fibre to the Node (FTTN) build will commence the first quarter of 2017. FTTN will cover approximately 1100 properties within Grenfell. Those outside of the town limits will be serviced with NBN Satellite.

Originally Grenfell was also to be serviced with Fixed Wireless but at this time there are no plans for Fixed Wireless in Grenfell or the Weddin Shire.

NBN Co have provided an interactive rollout map. This map can be used to advise whether you will be able to receive satellite connection.

Area to be serviced with NBN Satellite

Although the map advises that service is available – it may not be not available to all customers at this point. To find a provider and check availability please use the check your address tool provided by NBN.

The map currently doesn’t mention FTTN connections in Grenfell, but discussions with NBN Co representatives have ensured me that Grenfell areas that currently unable to receive NBN Satellite service will be serviced with FTTN when it becomes available.

Satellite not available but property to be serviced with FTTN

Any further inquiries can be directed to NBN Co via their website or calling 1800 OUR NBN.

Having a strong, unique password for each of your online accounts is a great starting point for keeping your online presence safe. However even with a strong password it is possible for an attacker to gain access to your accounts.

When signing into a website, the password you enter is turned into a ‘hash’. A hashed version of your password is also knows as a fingerprint. This fingerprint is stored in the websites database. Only when the password you enter, matches the stored fingerprint, are you logged in. Hashes of passwords are created using algorithms. This is to help protect the password if there is a data breach. If a website suffers a data breach and hashes are stolen, the attacker can potentially ‘crack’ the hashes to view the plain text password. This allows the attacker to sign into your account. Short passwords and websites that use old hashing algorithms (or no hashing at all) make it easier for an attacker to crack your password. Because many people use the same password for all of their online accounts, by cracking only one password, cybercriminals may be able to access multiple accounts. Often usernames and passwords are shared or sold on to other cybercriminals. This is why it is important to have strong password hygiene and a different password for each account.
Even with a strong password there are several ways cybercriminals can steal passwords; tricking you into installing malware or phishing your password via a malicious email or website are common. In these cases a strong password will not offer protection. This is where two-factor authentication is necessary.

Two-factor authentication increases the security of your login by requiring two factors when logging into an account. Usually the factors are your password plus another piece of information such as a onetime code. These onetime codes are most commonly provided by SMS.

SMS is the default for receiving a onetime code as most users have a mobile phone with them at all times. SMS can be an inconvenient form of delivery if you live in a black spot as you won’t receive the code required to log in to the online service.

Authenticator apps such as Google Authenticator or Authy can be setup in place of SMS and allows you to manage multiple services. The App is very easy to manage and allows a code to be generated even without network access. In addition codes are accessible instantly. The downside is you need a smart phone or tablet to install the authenticator app. If you choose to install an app like this you should ensure you have a strong passcode locking your device. If your device is lost or stolen and you do not have a passcode, it may be possible for an attacker to reset your account passwords using your phone and authenticator app. Authy allows you to backup your authentication codes so you can easily reinstall the app to a new device without having to reset your accounts.

Some services will provide a token that can be kept secure at home and which generates a onetime code. These are great for people who do not have a smartphone or tablet. The disadvantage is that the token only works for one account so multiple tokens may be required for multiple services. Tokens are often provided by financial institutions.

Two-factor authentication can seem complicated at first. I recommend trying two-factor authentication for your online banking and email address. Once you are comfortable with these two services, you should consider using it on all accounts. It is only one extra step each log in, however it offers much greater protection than passwords alone. Many online services support two-factor authentication. Some of the services include online banking, email hosted with Gmail and Outlook, Facebook and Dropbox. Online services regularly add support for two-factor authentication.

If you would like assistance in protecting your accounts with two-factor authentication or have any other questions relating to password security feel free to Contact Us.